General

  • Target

    FloorDivision.luau

  • Size

    101B

  • Sample

    240521-ze5z7ahg4s

  • MD5

    a86589afb1c3e7a84e089abcd70c836e

  • SHA1

    5caeeea4474bac84f7490477491e3903968359a6

  • SHA256

    4f46e7ff197b63e7c809f4def8722cb33a1244e48453e46af4fce77545e3ba04

  • SHA512

    df8c67d030165b694f2a3bfc88d758f37752a0db4d91366c6d73dd5063ed61e45b96fdd478142cb37b32e78066ed17fbd35a046b2d2842b9a95988600d67edf5

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    ps1.dropper: https://rentry.org/lem61111111111/raw

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    exe.dropper: https://bitbucket.org/j46j746/hg56h56h56h/raw/7db2d3da302e81e3311c7814241af0d59152a170/lem.rar

Extracted

  • Family

    redline

  • C2

    45.15.156.142:33597

Targets

    • Target

      FloorDivision.luau

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks